Re: RFC: jail functionality
Quoting James Morris (jmorris@xxxxxxxxxx):
> On Wed, 29 Jun 2005, Stephen Smalley wrote:
>
> > > The attached task-lookup patches?
> >
> > Not sure it provides much value.
>
> If you need this, why not look at proper isolation via Xen?
Xen may be overkill for some cases, as you need (almost) a whole OS
for each jail. Zones and bsd jails (I believe) should easily be
able to run hundreds of jails - provided of course they don't all
peak at once.
Don't get me wrong, I'm a big fan of virtualization, and while I
don't get to right now, IBM is putting a lot of effort into Xen.
> LSM is about access control, not virtualization.
And jails require some amount of access control. I don't want to
introduce a new LSM for this, but just put together the various
existing (and not-yet-existing) pieces into an easy to use package.
thanks,
-serge